Flipping the economy of a Hacker

Palo Alto Networks partnered with the Ponemon Institute to answer a very specific question: what is the economic incentive for adversaries?

Ponemon was chosen because it has a history of producing well-respected cybersecurity research, including its well-known annual "Cost of a Data Breach" reports. The findings are based on surveys and interviews with cybersecurity experts, including current or former attackers. These are all individuals who live and breathe security, many of whom have conducted attacks themselves. Nearly 400 individuals took part in the research, across the United States, Germany and the United Kingdom.

When you think about security research, most of the focus has been on how attackers get in and the damage they cause once they are inside. We set out to approach the problem from a different angle: understand the economic motivations behind an attack and the factors that influence them, and then use that data to help organizations respond better. If we can remove the motivation, we can decrease the number of successful attacks. It is as simple as that.

There are clear highlights that I believe can shape your understanding of attackers and improve your ability to defend against them:

The majority of attackers (72 percent) are opportunistic and do not waste time on efforts that fail to quickly yield high-value information. Advanced nation-state actors invest heavily in planning, but think of the average attacker as the mugger on the street rather than the "Ocean's Eleven" crew that spends weeks planning a complicated, high-stakes heist. In that context, organizations that prioritize making themselves a harder target will deter a significant share of potential breaches.

There is a common notion that attackers are in it for a big payday. That is the exception rather than the rule: average annual earnings from malicious activity total less than $30,000, about a quarter of a cybersecurity professional's average yearly wage. This limited earning power becomes even less attractive once you add the legal risks, including fines and jail time.

Time is the defining factor in changing the adversary's arithmetic. As network defenders, the more we delay adversaries, the more resources they waste and the higher their cost becomes. We found that increasing the time it takes to break in and carry out a successful attack by less than two days (40 hours) deters the majority of attacks (60 percent, as detailed below).

Finally, it is all about how you protect yourself. Because attackers are so opportunistic and their time is so valuable, we can change the attack equation with next-generation security approaches. We found that organizations rated as having "excellent" security took twice as long to breach as those rated "typical." Putting the right security in place makes all the difference.

To understand how to influence an attacker's economic motivation, we must consider what I call the "adversary arithmetic": the cost of an attack versus the potential payoff from a successful data breach. If malicious actors put in more resources than they get out, or if we decrease their profit, being an attacker becomes much less attractive. What we have seen is simple: more malware and exploits, more effective toolkits and cheaper computing power have lowered the barrier to entry for an attack, producing the increase in attacks we covered in the last slide.

Using the survey findings as a guideline, let's walk through what we can do to reverse this trend.

It is a random mugging, not a planned robbery. The data suggests that the majority of adversaries are motivated by quick and easy financial gain. Rather than a "movie script heist," attackers are looking for opportunistic street "muggings" that take advantage of easy targets: about 69 percent are motivated by profit, and 72 percent of attacks are opportunistic.

The primary motivation of attackers is profit. This guides every other finding in the report and how we shape our responses. It is important to note that there is a spectrum of malicious actors, and organizations must always maintain awareness of highly targeted attacks and nation-state activity such as cyber espionage or cyber warfare. However, if we can disincentivize anywhere near that share of attackers, we will make a huge dent in the threat landscape.

The majority of attackers are opportunistic, looking for the quick and easy job. Organizations that prioritize making themselves a harder target will therefore deter a significant share of potential breaches.

Ponemon's data suggests that the profit motive is being reinforced by a decline in the cost of conducting an attack: 56 percent of respondents believe the time and resources required to conduct a successful attack have gone down. This is the evidence behind the cost curve, and why it is more important than ever to focus on raising that cost. If we allow adversaries to keep this edge, they will continue to erode trust in the Internet. Let's look at the reasons behind the cost decrease.

It is not enough to know that costs are decreasing; we must examine why, so that each cause can be countered. From the survey results, a few key facts bubble to the surface:

More malware and exploits are available, as discussed under the "adversary arithmetic." This is the largest factor, at 64 percent.

Next, an interesting trend: 47 percent cite increased attacker skill. It is not all about the availability of threats, but also the sharing of best practices and learning among attackers.

47 percent credit better attack toolkits, and we will see why these are so powerful in the next slide.

The final two factors are part of the same trend as improved skills. There is more intelligence available on targets, which makes the reconnaissance stage of an attack easier and the resulting threats more tailored, and collaboration among attackers was also cited as a major factor. What this adds up to is the outsized impact of the criminal underground. It is not just independent attacker groups, but online forums, much like the ones our own organizations use, except that on these, malware is traded and sold, techniques are shared and refined, and attackers learn from one another.

Toolkits automate the entire process and have become increasingly sophisticated. They can be crafted to do essentially anything and used by anyone, without much technical skill. Dark Comet and Poison Ivy are two well-known examples; both have been used in very high-profile attacks, including against Syrian activists and against government organizations. They are not just for the "easy targets."

Now that we understand how powerful these toolkits can be, let’s dive into the report findings on how they have evolved.

The data here supports our hypothesis: toolkits are highly effective and make being an attacker much easier. Nearly 70 percent of respondents said a toolkit makes it easier to be an attacker, and 64 percent said toolkits are highly effective. Given this, what is concerning is how quickly they are growing in popularity, with 63 percent citing increased usage. Last, and most important, is their relatively low cost: attackers spend only $1,387 on average, so it is easy to see how toolkits act as force multipliers in the threat landscape. It is also important to note that attackers ARE buying these. They are serious applications with developers, support and an entire ecosystem behind them. Some even follow usage-based models: rent a botnet, ransomware as a service. Consider how this compares with the enterprise software you purchase and use.

The survey found that the average attacker makes less than $30,000 a year. It literally does not pay to be the bad guy; that is about one quarter of the annual salary of a cybersecurity professional. There have been many cases of former attackers turning around and applying the skills they learned to help the security community. Moreover, the need for talented security operators is so great that bringing this group over to defend networks rather than attack them is good business for everyone. Think of pentesters who really know how to break into networks, or application security developers who know how to find vulnerabilities.

You must also consider the legal risk of being an attacker, which can include large fines and jail time. The question we must ask is how we convert attackers into good guys. Paying them well is a good start.

Now we come to the most important finding in the report: how can we deter attacks? Some of the findings may surprise you. Delaying an attacker by less than two days (40 hours) deters 60 percent of attacks. Think about an average work week and how much impact this one addition can have. Attackers give up and move on to the next opportunistic target after a relatively short time. Every security control, policy and training program you deploy adds to how long it takes them to break in, and it all matters.

It was surprising just how much time is the defining factor in changing the adversary's arithmetic. As network defenders, the more we delay adversaries, the more resources they waste and the higher their cost becomes. We can interrupt the march toward ever-cheaper attacks by taking a slightly different perspective on the problem.

Another finding is that organizations rated "typical" took less than three days in total to breach (70 hours). That is HALF the time it takes to breach a well-protected organization (140 hours). Combine this with the 70 percent who will walk away when presented with a strong defense, and with the finding that adding 40 hours deters 60 percent of attacks, and the adversary equation can begin to flip in the good guys' favor.

So now what?

Based on the research, we know that attacks are increasing because their cost is decreasing, and we know the factors behind that decrease. We also know that attackers are motivated by profit. With that in mind, we need to approach this challenge through the lens of increasing the cost of attacks and decreasing their profit. We have split this into three categories:

Remove the profit motivation by forcing adversaries to build custom, expensive attacks every time. It is extremely costly to build new malware, find new exploits and constantly change tactics for every attack.

Automatically identify and prevent new threats. When new attacks are developed, or existing ones evolve, we need to quickly turn them into known threats and block them in real time. That way, all the time and money spent crafting something novel is instantly wasted. This has to happen at both the network and the endpoint level.

Finally, you need visibility into your network, whether it is in the cloud, the data center, on mobile devices or anywhere in between. That visibility lets you classify the threats and malicious actors attempting to breach your organization and feed that information into proactive steps that reduce your risk.

Certainly there is the possibility of bias in any research. The data behind the research is where to search for internal validity. It is why I question 'any' poll these days: according to what instrument, what questions? Did the questions pass an internal validity and instrument bias test?

For a long time, we've been hearing about the "defender's dilemma," whereby one envisions a single castle, a single defender, and a single attacker. The defender has to make sure that the entire perimeter of the castle is secure, while the attacker needs only find one weak point. But this report does highlight an interesting problem with that metaphor; the real situation is more like Eddie Izzard's jest about American perceptions of Europe:

"We've got tons of them. You think we all live in castles and we do. We've got a castle each. We're up to here with castles. We just long for a bungalow or something."

And if an attack is motivated by profit, then this is a lot less like the defender's dilemma and a lot more like the joke about two people running from a bear. If the attacker who's standing outside your castle can see a weaker spot in someone else's wall, he's going to go over there instead.

Sure, one of the two entities behind this report is a vendor; that's always reason to question the perspective, bias (I won't even say "potential bias"), and conclusions of something like this. But 1, the underlying premises all match with what I've seen elsewhere, 2, the final conclusions make complete sense to me, and 3, while Palo Alto definitely has a motive to produce something that drives their sales, Ponemon has an even stronger motive not to put their name on something that is skewed. Putting out a biased report is not part of Palo Alto's core business, but putting out trustworthy, objective reports IS Ponemon's core business. And just because a conclusion supports a vendor's product sales doesn't automatically mean it's wrong.

And while the report's conclusions don't apply to the minority of attacks which are targeted and well-resourced, it also makes sense that keeping out the larger majority will improve the signal-to-noise ratio of security monitoring inside your environment, and that slowing down even a determined attacker will give you more opportunity to see them coming.

I had a chance to go to a seminar by Professor Nicolas Christin. Some of his work revolves around online crime and the motivators behind it. He has an awesome approach to answering some questions in this area. You should check out his two papers:

"Automatically Detecting Vulnerable Websites Before They Turn Malicious" (along with Kyle Soska)
and
"Traveling the Silk Road: A Measurement Analysis of a Large Anonymous Online Marketplace."

I think they are good reads to go with this post, especially when it comes to the attackers' economic reasoning. It drives home how the techniques they use are driven by money more than one might realize.

There was no earth-shattering or completely new revelation here on top of what the security industry doesn't already know. Bias? There is always a bias of some sort; however, if you look at the statistics and what the conclusions suggest, you might see that a comprehensive approach, together with understanding the economics behind it, is not a bad way to solve this problem.